Hackerone Recent

15275 matches found

Hacker One · added 2019/03/07 7:12 a.m. · 19 views

Mail.ru: XXE on pulse.mail.ru

XML External Entity injection (XXE) in RSS/Atom feed parsing code in pulse.mail.ru allowed access to local files. All Mail.Ru projects are covered by extended scope bug bounty program...

AI score: 3.1 · Exploits: 0
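An added example, not code from the Mail.ru report or from pulse.mail.ru, of the vulnerable pattern the report describes: a feed parser that resolves external entities, so a DOCTYPE in an attacker-controlled RSS/Atom feed splices a local file into the parsed titles. The feed, the secret file and the paths are constructed; the hardened variant keeps external entity resolution off and refuses any DTD, since feeds never need one.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TitleCollector(handler.ContentHandler):
    """Collects the text of every <title> element in an RSS/Atom feed
    (namespace processing is off, so the local name is just 'title')."""

    def __init__(self):
        super().__init__()
        self.titles = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "title":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "title":
            self.titles.append("".join(self._buf))
            self._buf = None


def parse_feed_titles(feed_bytes, resolve_external_entities):
    """Parse a feed with the stdlib SAX (expat) parser.

    resolve_external_entities=True is the vulnerable configuration: a
    <!ENTITY x SYSTEM "..."> declaration in the feed's DTD is fetched from
    the local filesystem (or the network) and its content is spliced into
    the document, so it ends up wherever the app renders the title.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TitleCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(feed_bytes))
    return collector.titles


def parse_feed_titles_hardened(feed_bytes):
    """Hardened variant: refuse a DTD outright (feeds never need one) and
    keep external entity resolution switched off."""
    if b"<!DOCTYPE" in feed_bytes or b"<!ENTITY" in feed_bytes:
        raise ValueError("DTD/entity declarations are not allowed in feeds")
    return parse_feed_titles(feed_bytes, resolve_external_entities=False)


def demo():
    """Constructed scenario: a temporary secret file stands in for
    /etc/passwd or an application config that an attacker-supplied feed
    references. Returns (titles with XXE on, titles with it off, rejected?)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as f:
            f.write("s3cret-token")

        # Constructed malicious Atom feed (hypothetical, not from the report).
        feed = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE feed [<!ENTITY xxe SYSTEM "%s">]>\n'
            '<feed xmlns="http://www.w3.org/2005/Atom">\n'
            '  <title>Pulse feed</title>\n'
            '  <entry><title>&xxe;</title></entry>\n'
            '</feed>\n' % secret_path
        ).encode("utf-8")

        leaked = parse_feed_titles(feed, resolve_external_entities=True)
        ignored = parse_feed_titles(feed, resolve_external_entities=False)
        try:
            parse_feed_titles_hardened(feed)
            rejected = False
        except ValueError:
            rejected = True
    return leaked, ignored, rejected


if __name__ == "__main__":
    print(demo())
```

Python's stdlib parser has kept `feature_external_ges` off by default since 3.7.1; parsers that still resolve entities by default behave like the first call. Refusing the DOCTYPE altogether also closes off entity-expansion denial of service, which disabling external entities alone does not.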
Hacker One · added 2019/03/06 1:14 p.m. · 33 views

Semmle: Authenticated Cross-Site-Request-Forgery

Summary: I have read the T&C to be eligible for bounty on this program. As per T&C authenticated CSRF requests are eligible for a bounty. I am not looking for the Bounty, However I want to give you an update on Authenticated CSRF that I have found. In the "Account Settings", a user can change his...

AI score: 6.6 · Exploits: 0
Hacker One · added 2019/03/06 1:48 a.m. · 42 views

X (Formerly Twitter): Twitter ID exposure via error-based side-channel attack

Twitter ID Confirmator === Summary Recently I discovered a privacy-related vulnerability in Twitter. An attacker exploiting this vulnerability can identify a user when they visit a malicious website. Description Threat model: The attacker knows the victim’s Twitter ID/username and aims at...

AI score: 6.9 · Exploits: 0
Hacker One · added 2019/03/05 8:52 p.m. · 22 views

VK.com: Viewing info on the page of a user or group that has blacklisted you

Insufficient blacklist checks when accessing a public wall...

AI score: 6.9 · Exploits: 0
Hacker One · added 2019/03/05 8:17 p.m. · 10 views

VK.com: Viewing attachments of a deleted message.....

Viewing attachments of a deleted message from one's own conversations...

AI score: 6.9 · Exploits: 0
Hacker One · added 2019/03/05 4:55 p.m. · 48 views

Internet Bug Bounty: DOS in stream filters

see bug report https://bugs.php.net/bug.php?id=76249 as simple as one process running in an endless loop Impact DOS, process ends up in an endless loop, CPU or available php processes or both of affected system get easily exhausted...

CVSS: 5 · AI score: 8 · EPSS: 0.64864 · Exploits: 0
Hacker One · added 2019/03/05 4:03 p.m. · 21 views

Rockstar Games: Image injection on /screenshot-viewer/responsive/image ( FIX BYPASS)

In this report, the researcher identified an image injection issue in the screenshot-viewer utility on our website that could be combined with other vulnerabilities to result in sensitive token theft. We were able to quickly push out an update to resolve the image injection issue, thereby...

AI score: 3 · Exploits: 0
Hacker One · added 2019/03/05 3:06 p.m. · 29 views

Valve: Malformed map detailed texture files in GoldSrc games lead to Remote Code Execution

A crafted map detailed texture file maps/detail.txt can be used to exploit a stack overflow vulnerability in hw.dll that can lead to remote code execution. Reproduction I used Counter-Strike for PoCs. Using a listen server - Place attached csassaultdetail.txt in cstrike/maps folder - Start the ga...

AI score: 0.4 · Exploits: 0
Hacker One · added 2019/03/05 2:32 p.m. · 17 views

Rockstar Games: Dom based xss on https://www.rockstargames.com/ via `returnUrl` parameter

In this report, the researcher identified a DOM-Based Cross-Site Scripting vulnerability in the Videos section of the GTAOnline site that appeared to only be exploitable on non-English versions of the site, such as /br/. The root cause appeared to lie in the ReturnUrl parameter in the logout...

AI score: 1.5 · Exploits: 0
Hacker One · added 2019/03/05 3:05 a.m. · 20 views

X (Formerly Twitter): [Twitter Open Source] Releases were & are built/executed/tested/released in the context of insecure/untrusted code

Summary: CWE-829: Inclusion of Functionality from Untrusted Control Sphere CWE-494: Download of Code Without Integrity Check Twitter maintains several Open Source Projects under the Twitter GitHub organization. These projects contain build files that indicate that some of these projects are...

AI score: 7.3 · Exploits: 0
Hacker One · added 2019/03/05 12:33 a.m. · 40 views

OLX: XSS inside HTML Link Tag

Hello, i discovered XSS in sharjah.dubizzle.com. XSS is reflected inside HTML Link tag so it needs some condition to trigger the payload. Steps to Reproduce - Visit https://sharjah.dubizzle.com/property-for-sale/land" accesskey="X" onclick=alert(1337)...

AI score: 0.1 · Exploits: 0
Hacker One · added 2019/03/04 10:02 p.m. · 75 views

Valve: Malformed playlist.txt in GoldSrc games leads to Access Violation & arbitrary code execution

A crafted playlist.txt can be used to exploit a stack overflow vulnerability in GameUI.dll that can lead to arbitrary code execution. Reproduction Place attached playlist.txt in game directory valve, cstrike, etc.. The game will crash when it tries to play Splash track. Exploitability The file ca...

AI score: 3.2 · Exploits: 0
Hacker One · added 2019/03/04 2:11 p.m. · 17 views

New Relic: CSRF at adding new role (user-management.service.newrelic.com)

Hey New Relic security team, I have discovered a CSRF-vulnerability allowing an attacker to create a new custom role on behalf of the victim. The role creation endpoint does not implement correct CSRF-protection so it can be bypassed. The exploit works fine at least at latest Firefox browser. Steps to...

AI score: 7 · Exploits: 0
Hacker One · added 2019/03/04 12:21 p.m. · 33 views

Internet Bug Bounty: phar_tar_writeheaders_int() buffer overflow

A buffer overflow has been found in the phar_tar_writeheaders_int function. It does a strncpy to header->linkname from entry->link with the size of entry->link. As you can see in https://github.com/php/php-src/blob/master/ext/phar/tar.h#L66 , header->linkname is a char array of size 100. Once entry->link...

CVSS: 6.8 · AI score: 9 · EPSS: 0.00489 · Exploits: 0
Hacker One · added 2019/03/04 12:10 p.m. · 57 views

Nextcloud: Uploading large avatar images cause excessive CPU usage

How to reproduce: - Create an account on any server running Nextcloud 13 or 14. - Open the personal settings. - Upload a large image as avatar (tested with a 4032x3024 PNG image of about 14.5 MB). - Keep the selected area in the popup and save the avatar. - Notice that the avatar area shows the...

AI score: 1.6 · Exploits: 0
Hacker One · added 2019/03/04 11:35 a.m. · 13 views

Omise: Open Redirect

Open Redirect Vulnerability URL : https://www.omise.co////bing.com/?www.omise.co/?category=interview&page=2 Parameter Type : URL Rewrite Attack Pattern : %2f%2f%2fr87.com%2f%3fwww.omise.co%2f How to Reproduce 1. Intercept the below url using Burpsuite & send it to repeater...

AI score: 0.4 · Exploits: 0
Hacker One · added 2019/03/04 10:43 a.m. · 62 views

Nextcloud: Predictable Random Number Generator

Description: The mobile application uses a predictable Random Number Generator (RNG). Under certain conditions this weakness may jeopardize mobile application data encryption or other protection based on randomization. For example, if encryption tokens are generated inside of the application and an...

AI score: 7 · Exploits: 0
Hacker One · added 2019/03/03 5:17 p.m. · 28 views

Smule: Web cache poisoning leads to disclosure of CSRF token and sensitive information

Summary: The page https://www.smule.com/s/smulegroups/usergroups/username is vulnerable to web cache poisoning. Description: The page https://www.smule.com/s/smulegroups/usergroups/username is vulnerable to web cache poisoning, on adding X-Forwarded-Host header to the request multiple request lin...

AI score: 7 · Exploits: 0
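An added example, not Smule's code, of the mechanism behind the report above: a toy page whose self-links and script URL are built from the request's host, a cache that keys on the path only, and the two requests from the report's scenario. The canonical host, the path and the header values are constructed. With X-Forwarded-Host trusted, the attacker's single request rewrites the script origin in the cached copy every later visitor receives, which is what lets a cross-origin script read the victim's CSRF token; the hardened variant pins absolute URLs to the canonical host and rejects any other Host.

```python
import re

CANONICAL_HOST = "www.example-app.test"   # hypothetical canonical host


def effective_host(headers, trust_forwarded_host):
    """Host used to build absolute URLs in a response.

    trust_forwarded_host=True is the weak behaviour: the unkeyed
    X-Forwarded-Host request header decides the origin of every link and
    script URL. Hardened mode ignores it and refuses any Host that is not
    the canonical one, so no request can rewrite its own page.
    """
    if trust_forwarded_host:
        return headers.get("X-Forwarded-Host") or headers.get("Host", "")
    if headers.get("Host", "").lower() != CANONICAL_HOST:
        raise ValueError("unexpected Host header")
    return CANONICAL_HOST


def host_is_accepted(headers):
    """Hardened-mode acceptance check, exposed for testing."""
    try:
        effective_host(headers, trust_forwarded_host=False)
        return True
    except ValueError:
        return False


def render_group_page(path, headers, trust_forwarded_host):
    """Page with absolute self-links. The CSRF token is what a script
    loaded from an attacker host would exfiltrate from the victim's copy."""
    host = effective_host(headers, trust_forwarded_host)
    return (
        f'<link rel="canonical" href="https://{host}{path}">\n'
        f'<script src="https://{host}/static/app.js"></script>\n'
        f'<meta name="csrf-token" content="per-user-token">'
    )


class PathKeyedCache:
    """Stand-in for a CDN that keys on the path only: Host and
    X-Forwarded-Host are unkeyed, so the first response stored for a path
    is served to everyone who requests that path afterwards."""

    def __init__(self, trust_forwarded_host):
        self.trust_forwarded_host = trust_forwarded_host
        self.store = {}

    def get(self, path, headers):
        if path not in self.store:
            self.store[path] = render_group_page(
                path, headers, self.trust_forwarded_host)
        return self.store[path]


def script_host(html):
    """Host the page's <script> tag loads from."""
    return re.search(r'<script src="https://([^/"]+)/', html).group(1)


def demo(trust_forwarded_host):
    """Attacker poisons the cache entry for a group page, then the victim
    requests the same path with a clean request. Returns the host the
    victim's browser would load app.js from."""
    cache = PathKeyedCache(trust_forwarded_host)
    path = "/groups/some-group"          # constructed path
    cache.get(path, {"Host": CANONICAL_HOST,
                     "X-Forwarded-Host": "attacker.test"})   # poisoning request
    victim_page = cache.get(path, {"Host": CANONICAL_HOST})
    return script_host(victim_page)


if __name__ == "__main__":
    print("weak:", demo(True), "hardened:", demo(False))
```

The fix on the cache side is to either key the cache on every header the application uses to build a response or strip those headers at the edge; the fix on the application side is to never derive absolute URLs from request headers at all.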
Hacker One · added 2019/03/03 4:58 p.m. · 18 views

Hanno's projects: Bypassing the fix of #503922

Hi, Just bypassed the fix of open redirect. See comments for more details. Best Regards, -MO Impact Open redirection...

AI score: 1.3 · Exploits: 0
Hacker One · added 2019/03/03 4:43 p.m. · 73 views

Urban Dictionary: Domain does not Match SSL Certificate

Hi Team, While examining the domains that are in scope for Urban Dictionary, I noticed that https://urbandictionary.net is not currently protected by your SSL certificate. Steps to Reproduce: 1. Open Chrome and copy/paste the following into the search bar: https://www.urbandictionary.net 2. After...

AI score: 0.8 · Exploits: 0
Hacker One · added 2019/03/03 10:08 a.m. · 49 views

50m-ctf: CTF write-up: c8889970d9fb722066f31e804e351993

So the CTF starts with this tweet. F434370 The first image is about the 50 million in bounties but the second one looks related to the CTF. The first thing that comes to mind when relating CTFs and images is "steganography". Using the all-purpose steg tool zsteg as our first resort, we discover...

CVSS: 9.3 · AI score: 8.7 · EPSS: 0.55296 · Exploits: 33
Hacker One · added 2019/03/03 3:00 a.m. · 35 views

Semmle: the login blocking mechanism does not work correctly

Summary: The login block mechanism does not work correctly because it blocks the login for 1 minute and allows you to sign in again many times with specific pattern by allowing login 2 or 3 times after 1 minute Exploitation 1. open https://lgtm-com.pentesting.semmle.net/ 2. try to login with vali...

AI score: 0.1 · Exploits: 0
Hacker One · added 2019/03/03 1:28 a.m. · 15 views

50m-ctf: Various vulnerabilities ultimately lead to attacker control over FliteThermostat server and access to internal accounting application source code

Step 1: The Entry Point 3:50 PM PST, Tuesday Afternoon F434398 This image is the entrypoint for the 50m-ctf. It doesn't look like much at first, but one can clearly see that there's a lot of binary digits in the background. The immediate obstacle to trying to decode it is we don't know how many...

AI score: 8.1 · Exploits: 0
Hacker One · added 2019/03/02 5:59 p.m. · 45 views

Algolia: Web Cache Deception Attack (XSS)

@testingforbugs identified an issue related to web caching which could lead to XSS attacks...

AI score: 2.7 · Exploits: 0
Hacker One · added 2019/03/02 9:37 a.m. · 20 views

VK.com: Creating a playlist on behalf of (almost) any user/group/artist.

A playlist displayed under someone else's name...

AI score: 6.9 · Exploits: 0
Hacker One · added 2019/03/02 3:36 a.m. · 8 views

8x8: Sensitive information disclosure

The third party marketing company that ran the www application had inadvertently exposed some of the configuration files of their application...

AI score: 1.3 · Exploits: 0
Hacker One · added 2019/03/01 8:33 p.m. · 13 views

8x8: Cross-site Scripting (XSS) - Reflected

The password reset page of the managers portal of VCC reflected input of the tenant parameter without proper encoding considerations. Just wanted to disclose as it's my first ever report on h1...

AI score: 1.5 · Exploits: 0
Hacker One · added 2019/03/01 5:47 p.m. · 51 views

Hanno's projects: Open redirect on the https://tt.hboeck.de

Hi Team! Testing request: POST /public.php?return=%2F HTTP/1.1 Host: tt.hboeck.de ........... op=login&login=….&password=...&profile=0 Vulnerable parameter: return Method: POST - GET - OK POC: https://tt.hboeck.de/public.php?return=http%3a%2f%2fevil.com%2f&op=login&login=password=&profile=0 Impac...

AI score: 7 · Exploits: 0
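The Omise report above (URL-rewrite pattern `////bing.com` and `%2f%2f%2f...`) and this one (`return=http://evil.com/`) share a root cause: the redirect target is taken from the request without being checked. An added example, not code from either project, of a return-URL check that accepts only a path on the current origin. The function names are hypothetical and the inputs in the test are the reports' patterns with the hosts replaced. The check matters because browsers collapse extra slashes before a host for http(s) URLs, so `////bing.com/` in a Location header resolves to `https://bing.com/`, while `urlsplit` alone reports an empty netloc for it and would let it through.

```python
import re
from urllib.parse import unquote, urlsplit

# Controls, whitespace or DEL inside a redirect target are a bypass
# attempt (header injection, parser confusion), never a real path.
_BAD_CHARS = re.compile(r"[\x00-\x20\x7f]")


def is_local_path(candidate):
    """True only for a path on this origin, e.g. '/account/settings?tab=2'.

    Every check runs on the raw value and on its percent-decoded form,
    because a URL-rewriting layer in front of the app may turn '%2f' into
    '/' before the value is used (the pattern in the Omise report).
    """
    if not candidate:
        return False
    for value in (candidate, unquote(candidate)):
        if _BAD_CHARS.search(value):
            return False
        if not value.startswith("/"):
            return False   # absolute URL, 'javascript:', or a bare host
        if value[1:2] in ("/", "\\"):
            return False   # '//host', '////host', '/\host': scheme-relative
        if "\\" in value:
            return False   # browsers normalise '\' to '/' in http(s) URLs
        parts = urlsplit(value)
        if parts.scheme or parts.netloc:
            return False
    return True


def safe_return_url(candidate, default="/"):
    """Return the user-supplied target if it is a local path, else `default`."""
    return candidate if is_local_path(candidate) else default


if __name__ == "__main__":
    for target in ("/account/settings?tab=2", "////bing.com/?www.omise.co/",
                   "%2f%2f%2fr87.com%2f", "http://evil.com/"):
        print(repr(target), "->", safe_return_url(target))
```

If the application genuinely needs cross-host redirects, the alternative is an explicit allowlist of destination hosts compared against `urlsplit(target).hostname` after decoding, never a prefix or substring match on the raw string.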
Hacker One · added 2019/03/01 3:32 p.m. · 12 views

PuTTY (European Commission - DIGIT): Assertion `col >= 0 && col < line->cols' failed, process aborted while streaming output from remote server

Summary: During the course of testing putty-0.70-2019-03-01.e0a7697 on Fedora 29 compiled with clang version 7.0.1 Fedora 7.0.1-4.fc29, we discovered it was possible to abort a remote client by streaming data at it in such a way as to trigger an assertion failure in terminal.c. putty:...

Exploits: 0
Hacker One · added 2019/03/01 3:01 p.m. · 12 views

Unikrn: Path Disclosure Vulnerability http://crm.******.com

Hello, there is a path discovery on the server. https://crm.unikrn.com/plugins/MauticZapierBundle/MauticZapierBundle.php https://crm.unikrn.com/plugins/MauticCloudStorageBundle/MauticCloudStorageBundle.php and other scripts at https://crm.unikrn.com/plugins//.php . As an option to eliminate the...

AI score: 0.6 · Exploits: 0
Hacker One · added 2019/03/01 10:38 a.m. · 15 views

Mail.ru: [XSS] postMessage in jsapi/button

XSS via postMessage handler in o2.mail.ru...

AI score: 1.5 · Exploits: 0
Hacker One · added 2019/03/01 9:59 a.m. · 47 views

WePay: Active mixed content issues on the site https://stage-go.wepay.com.

Hello. Summary: Page https://stage-go.wepay.com/static/ contains active mixed content: Description: Passive mixed content is content sent over HTTP that is contained on the HTTPS page, but which can not change other parts of the page. For example, an attacker can replace a picture sent via HTTP...

AI score: 6.7 · Exploits: 0
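An added example, not WePay's code: a small scanner that classifies `http://` sub-resources referenced from an HTTPS page into active mixed content (script, stylesheet, iframe, object, embed, which can change the page) and passive mixed content (image, audio, video, which can only be swapped for something else), the distinction the report's description draws. The sample HTML and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose sub-resource can run code or restyle/replace the page: active.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# Tags that only display something: passive.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Records every http:// reference found in an https:// page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_is_https = urlsplit(page_url).scheme == "https"
        self.findings = []          # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)         # html.parser lowercases attribute names
        if tag == "link" and attrs.get("rel", "").lower() == "stylesheet":
            self._check("active", tag, attrs.get("href"))
        elif tag in ACTIVE:
            self._check("active", tag, attrs.get(ACTIVE[tag]))
        elif tag in PASSIVE:
            self._check("passive", tag, attrs.get(PASSIVE[tag]))

    def _check(self, kind, tag, url):
        # Protocol-relative ('//host/x') and https references inherit or use
        # TLS and are fine; only an explicit http scheme is mixed content.
        if url and self.page_is_https and urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page (not taken from stage-go.wepay.com).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="//images.example.test/hero.png">
<iframe src="http://widgets.example.test/chat"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://stage.example.test/static/", SAMPLE_HTML):
        print(*finding)
```

Browsers block active mixed content by default and at most warn on passive, so the script, stylesheet and iframe findings are what breaks the page's TLS guarantees; the image finding still matters because an on-path attacker can substitute it. Served from a plain http:// page the same markup yields no findings, which is why the scanner takes the page URL as input.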
Hacker One · added 2019/02/28 12:35 p.m. · 27 views

Unikrn: █████████ on CRM server without authorization

The https://crm.unikrn.com/███████ file is available on the server https://crm.unikrn.com without authorization. Anyone can run this script. How to classify this vulnerability - leave the right for you. Impact Anyone can run this script...

AI score: 0.9 · Exploits: 0
Hacker One · added 2019/02/28 12:27 p.m. · 11 views

X (Formerly Twitter): Multiple XSS on account settings that can hijack any users in the company.

Note: Hello Twitter Team, I just noticed that my report 485748 is already fixed, can you confirm? but my other duplicate reports aren't and still exists. 492444 492913 are you sure it's on the same root cause? because I think the broad fix is already released but didn't fix the other issues. I wi...

AI score: 6 · Exploits: 0
Hacker One · added 2019/02/28 11:01 a.m. · 20 views

Slack: Real Time Error Logs Through Debug Information

Summary: During the assessment, I have found the debug URL on slackb.com which is disclosing the worldwide real-time error logs of Slack users. The information leaked includes the following: 1. User Device Information 2. Redacted Token 3. Client IP Address 4. Description 5. Session ID 6. Team ID...

AI score: 6.7 · Exploits: 0
Hacker One · added 2019/02/28 4:23 a.m. · 26 views

VLC (European Commission - DIGIT): Access Violation Reading EXPLOITABLE_0228

1 Basic info of application 1.1 Info of application Application Name: VLC media player for Windows Application Version: 4.0.0-dev Otto Chriek Download Address: http://nightlies.videolan.org/ Testing OS: Windows 8 2 Info of test file 2.1 Test file info Normal file name: normal.mkv Normal file type:...

CVSS: 4.3 · AI score: 7.2 · EPSS: 0.00914 · Exploits: 1
Hacker One · added 2019/02/27 7:47 p.m. · 24 views

X (Formerly Twitter): Html Injection and Possible XSS via MathML

Hi, I would like to report HTML Injection and possible cross site scripting (XSS) vulnerability using the MathML on Firefox. Account title of field is vulnerable to Html Injection which can lead an attacker to store javascript using the MathML in Firefox. Modern Firefox versions allow usage of inli...

AI score: 5.9 · Exploits: 0
Hacker One · added 2019/02/27 2:57 p.m. · 24 views

VK.com: [0.vk.com] Reflected XSS on the confirmation page.

XSS in old versions of IE on the mobile version of the site that is available to some carriers. Reflected XSS on the 0.vk.com subdomain. Only IE\MTS\Beeline...

AI score: 6.3 · Exploits: 0
Hacker One · added 2019/02/27 2:45 p.m. · 40 views

VLC (European Commission - DIGIT): Access Violation Reading in libfaad_plugin

1 Basic info of application 1.1 Info of application Application Name: VLC media player for Windows Application Version: 4.0.0-dev Otto Chriek Download Address: http://nightlies.videolan.org/ Testing OS: Windows 8 2 Info of test file 2.1 Test file info Normal file name: normal.mkv Normal file type...

CVSS: 5.8 · AI score: 8.1 · EPSS: 0.01185 · Exploits: 1
Hacker One · added 2019/02/27 10:58 a.m. · 46 views

Starbucks: RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/

This report from @spaceraccoon demonstrated a valid attack resulting in RCE and full compromise of the target. The detailed and thorough report was especially helpful throughout the triage process, and ultimately helped us reproduce and resolve the issue as quickly as possible. The vulnerable sit...

CVSS: 7.5 · AI score: 0.1 · EPSS: 0.90452 · Exploits: 7
Hacker One · added 2019/02/27 10:33 a.m. · 18 views

Semmle: Email addresses exposed in getPersonBySlug API

This researcher pointed out that the getPersonBySlug method in the internal API (the API which our frontend code uses to retrieve data from the system) exposed the email addresses of users who had connected Google accounts to their LGTM accounts. Since this API method does not check any...

AI score: 1.7 · Exploits: 0
Hacker One · added 2019/02/27 8:48 a.m. · 45 views

GitLab: Attacker is able to access commit title and team member comments which are supposed to be private

Steps To Reproduce: To reproduce this vulnerability, we need two accounts, lets say those accounts are: - [email protected] - [email protected] - Create a project from account [email protected] with th...

AI score: 2.1 · Exploits: 0
Hacker One · added 2019/02/26 4:59 p.m. · 15 views

Rootstock Labs: Traffic amplification attack via discovery protocol

A vulnerability was discovered in the RSKJ node's UDP discovery protocol that allowed for traffic amplification DDoS attacks. The ping-pong mechanism intended to protect against this was not properly implemented, allowing an attacker to successfully finish it even with a spoofed IP. By sending a...

AI score: 7 · Exploits: 0
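An added example, not RSKJ code: an in-process model of a UDP discovery node showing the flaw class the report describes and its fix. The message types, the byte sizes and the weak token derivation are assumptions chosen to make the mechanism visible, not what RSKJ actually implemented. In the weak variant the handshake token can be recomputed by whoever sent the ping, so an attacker who spoofs the victim's source address completes the handshake blind and turns the node into a reflector for the large NEIGHBORS reply; in the hardened variant the token is random and only ever delivered to the claimed address, so only the real owner of that address can finish.

```python
import hashlib
import secrets

# Constructed datagram sizes in bytes: a peer-list reply dwarfs a ping.
PING_SIZE = 48
PONG_SIZE = 40
NEIGHBORS_SIZE = 1200


class Network:
    """In-process stand-in for UDP: nothing authenticates the source
    address, so a sender may put any address in `src` (IP spoofing)."""

    def __init__(self):
        self.endpoints = {}

    def send(self, src, dst, msg):
        self.endpoints[dst].deliver(src, msg)


class Mailbox:
    """A plain host (the victim, or an honest peer): it just receives."""

    def __init__(self):
        self.received = 0
        self.inbox = []

    def deliver(self, src, msg):
        self.received += msg["size"]
        self.inbox.append(msg)


class DiscoveryNode:
    """Answers PING with PONG, and answers FIND_NODE with a large NEIGHBORS
    list only for endpoints that completed the ping/pong handshake.

    weak=True: the token is derived from data the pinger already knows
    (assumed flaw), so the pinger can forge the PONG_ACK without ever
    receiving the PONG. Hardened: a random token that reaches only the
    claimed address.
    """

    def __init__(self, network, weak):
        self.network = network
        self.weak = weak
        self.pending = {}       # claimed source address -> expected token
        self.verified = set()

    def _token_for(self, src, ping):
        if self.weak:
            return hashlib.sha256(f"{src}:{ping['nonce']}".encode()).hexdigest()
        return secrets.token_hex(16)

    def deliver(self, src, msg):
        kind = msg["type"]
        if kind == "PING":
            token = self._token_for(src, msg)
            self.pending[src] = token
            self.network.send("node", src, {"type": "PONG", "token": token,
                                            "size": PONG_SIZE})
        elif kind == "PONG_ACK":
            expected = self.pending.pop(src, None)
            if expected is not None and secrets.compare_digest(
                    expected, msg.get("token", "")):
                self.verified.add(src)
        elif kind == "FIND_NODE" and src in self.verified:
            self.network.send("node", src, {"type": "NEIGHBORS",
                                            "size": NEIGHBORS_SIZE})


def _setup(weak):
    net = Network()
    node = DiscoveryNode(net, weak)
    net.endpoints["node"] = node
    return net, node


def spoofed_attack(weak):
    """Attacker sends three small datagrams with the victim's address as
    source. Returns bytes delivered to the victim per attacker byte sent."""
    net, _ = _setup(weak)
    victim = Mailbox()
    net.endpoints["victim"] = victim
    sent = 0
    net.send("victim", "node", {"type": "PING", "nonce": "abc", "size": PING_SIZE})
    sent += PING_SIZE
    # The PONG went to the victim, not the attacker; in weak mode the
    # attacker recomputes its token from the public ping data anyway.
    forged = hashlib.sha256(b"victim:abc").hexdigest()
    net.send("victim", "node", {"type": "PONG_ACK", "token": forged, "size": PING_SIZE})
    sent += PING_SIZE
    net.send("victim", "node", {"type": "FIND_NODE", "size": PING_SIZE})
    sent += PING_SIZE
    return victim.received / sent


def honest_handshake(weak):
    """A peer that really owns its address completes the handshake either way."""
    net, node = _setup(weak)
    peer = Mailbox()
    net.endpoints["peer"] = peer
    net.send("peer", "node", {"type": "PING", "nonce": "xyz", "size": PING_SIZE})
    pong = peer.inbox[-1]
    net.send("peer", "node", {"type": "PONG_ACK", "token": pong["token"], "size": PING_SIZE})
    return "peer" in node.verified


if __name__ == "__main__":
    print("weak amplification:", round(spoofed_attack(True), 2))
    print("hardened amplification:", round(spoofed_attack(False), 2))
```

Even in the hardened variant the node still reflects one unsolicited PONG to the spoofed address, which is why the PONG must be no larger than the PING that triggered it: reflection with a ratio below 1 is not amplification. The same rule applies to every reply a node will send before the handshake completes.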
Hacker One · added 2019/02/26 1:47 p.m. · 22 views

Mail.ru: Reflected XSS in https://light.mail.ru/login via page

Reflected XSS via GET parameter in light.mail.ru...

AI score: 1.8 · Exploits: 0
Hacker One · added 2019/02/26 6:02 a.m. · 12 views

New Relic: Restricted user can view all account invoices, payment method details, PII of account owner through zoura_api endpoints

Around November of last year you switched to using Zuora https://www.zuora.com/ to handle your New Relic customer subscriptions. As a restricted user without administrative privileges, I am unable to view any data associated with the billing page https://rpm.newrelic.com/accounts/1523936/payments...

AI score: 6.7 · Exploits: 0
Hacker One · added 2019/02/25 8:14 p.m. · 59 views

Monero: Zero-amount miner TX + RingCT allows monero wallet to receive arbitrary amount of monero

Summary: By mining a...

AI score: 6.8 · Exploits: 0
Hacker One · added 2019/02/25 3:05 p.m. · 9 views

Rocket.Chat: Upload of Avatars for other Users

The vulnerability allowed unprivileged users to upload avatar pictures on behalf of other users. The effect of the exploit depended on the storage backend, with the default GridFS being affected. The vulnerability was found in the Rocket.Chat development version at commit 5f0180dc...

AI score: 7 · Exploits: 0
Hacker One · added 2019/02/25 2:47 p.m. · 7 views

Rocket.Chat: Guest Privilege Escalation to admin group

The vulnerability allowed a guest user to escalate privileges to the admin group. The guest user first added themselves to the bot group, which had the "manage-own-integrations" permission. Using this, the user created a malicious integration script that added the user to the admin group. The...

AI score: 7 · Exploits: 0
Hacker One · added 2019/02/25 2:22 p.m. · 6 views

Rocket.Chat: Online Status of arbitrary users can be changed

A vulnerability was discovered in a third-party Meteor module, Konecty/meteor-user-presence, that allowed the online status of arbitrary users to be changed without proper authentication. This was possible by sending crafted HTTP requests or WebSocket data with specific payloads. The issue was...

AI score: 7 · Exploits: 0
Hacker One · added 2019/02/25 9:22 a.m. · 45 views

X (Formerly Twitter): url that twitter mobile site can not load

Summary: A url that twitter mobile site can not load crashes any page containing this url Description: Invalid hex characters crash twitter mobile site as example go to https://mobile.twitter.com/?%xx twitter won't load. 1 Sending such url on a direct message, twitter will no longer be able to...

AI score: 6.6 · Exploits: 0

Total number of security vulnerabilities: 15275